New Virus Evolves

A new worm called Hybris has been spreading across computers in Europe, the United States and South America.

While it currently carries a non-destructive payload, some anti-virus developers are worried that its plug-in architecture could turn it into a much more dangerous virus, opening backdoors in computer systems and escalating the war between virus makers and anti-virus developers.

First discovered in South America by Kaspersky Labs, a Russian anti-virus developer, the worm has spread through email to Europe and the United States at an increasing pace.

“Hybris is one of the more common viruses we’re seeing right now,” said Brian Kinj, a member of the technical staff at the CERT Coordination Center.

Because it carries a non-destructive payload, the anti-virus community has been split over the threat level the virus represents. In the United States, the Joint Task Force Computer Network Defense, a division of the US Department of Defense, has upgraded the virus to a high-risk status. Meanwhile, European virus tracker Peter Kruse, of virus112.com, has announced on Usenet that his company was upgrading the virus threat to a medium risk status, due to the recent spread of the virus in Europe.

Companies like Symantec and Sophos, however, have given the virus a low risk status since it is carrying a non-destructive payload. McAfee, on the other hand, has upgraded the virus to a medium risk status based on “its prevalence and commonality.”

In its original version, the virus was spreading as an email attachment but recent reports indicate that it can also propagate itself using ICQ, an instant messaging platform used by over 30 million people. It infects WSOCK32.DLL so it can control the internet connection and intercept email addresses of incoming messages using a method similar to that of the MTX virus. Once it has obtained an address, the virus automatically sends itself to the next computer.

The virus can also modify the Winsock DLL if it has been write-protected. In this case the virus makes a copy of wsock32.dll, infects the copy and then writes the name of the infected copy in WININIT.INI, so that wsock32 is replaced with the infected version the next time the system is rebooted. The virus also makes a copy of itself with a random name and creates an entry in the RunOnce Windows registry key, ensuring that it can recopy itself if erased.
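A check for the pending-replacement trick described above, added here as an example and not taken from any anti-virus vendor: it reads the `[rename]` section of a WININIT.INI file, where each line has the form `destination=source`, and reports any queued replacement of wsock32.dll. The sample file contents and the source file name in it are constructed.

```python
import ntpath

# Constructed sample contents, not taken from an infected machine.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\KJHGFDSA.DLL
C:\PROGRA~1\APP\APP.EXE=C:\PROGRA~1\APP\APP.NEW
"""

# System files whose replacement at next boot deserves a second look.
WATCHED = {"wsock32.dll"}


def pending_renames(text):
    """Yield (destination, source) pairs from the [rename] section.

    Parsed by hand because keys such as NUL may legitimately repeat.
    """
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            yield dest.strip(), src.strip()


def suspicious_renames(text, watched=WATCHED):
    """Return queued renames whose destination is a watched system file."""
    hits = []
    for dest, src in pending_renames(text):
        # ntpath handles backslash paths regardless of the host OS.
        if ntpath.basename(dest).lower() in watched:
            hits.append((dest, src))
    return hits


if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE_WININIT):
        print(f"pending replacement of {dest} by {src}")
```

A hit is a reason to inspect the source file before rebooting, since legitimate installers also queue renames in this file.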

Its originality, however, lies in its plug-in architecture. Using this new model, the virus can connect either to the alt.comp.virus Usenet newsgroup or to a series of web sites and download new updates, in a way similar to trojan horse programs. By upgrading this component the author is able to completely change the appearance of the worm in unpredictable ways in an attempt to defeat anti-virus products detecting it. Not only is the virus payload updatable, but so are the update methods themselves, since they too are upgradeable components. To date, all the plug-ins included in the virus have been using a very strong encryption algorithm.

One of the components of the virus searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename.
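The archive behaviour described above leaves a recognisable trace: an entry ending in .EX$ sitting beside an .EXE entry with the same base name. The following scanner is an added example, not code from any vendor; it covers ZIP archives only (the Python standard library does not read RAR), and both sample archives are constructed in memory with placeholder contents.

```python
import io
import zipfile


def renamed_exe_pairs(zip_bytes):
    """Return sorted (renamed_entry, replacement_entry) pairs in a ZIP.

    A pair is an entry ending in .EX$ together with an entry of the same
    path and base name ending in .EXE, compared case-insensitively.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    by_lower = {name.lower(): name for name in names}
    pairs = []
    for name in names:
        lowered = name.lower()
        if lowered.endswith(".ex$"):
            twin = by_lower.get(lowered[:-4] + ".exe")
            if twin is not None:
                pairs.append((name, twin))
    return sorted(pairs)


def build_sample(entries):
    """Build a constructed ZIP in memory with harmless placeholder data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"constructed placeholder bytes")
    return buf.getvalue()


# Constructed test archives: one ordinary, one showing the rename pattern.
CLEAN = build_sample(["readme.txt", "tools/setup.exe"])
FLAGGED = build_sample(["readme.txt", "tools/SETUP.EX$", "tools/SETUP.EXE"])

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(label, renamed_exe_pairs(data))
```

The name pattern only narrows down which archives to examine; the .EXE entry in a flagged archive still has to be scanned with current virus definitions.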

Another component takes the infected files on your system and uploads them to the alt.comp.virus newsgroup. That component also grabs email addresses from newsgroups the user is subscribed to and sends itself to those email addresses. Over the past few weeks, this seems to have increasingly become the way by which the virus is propagating.

The only existing danger is a payload component, which on the 24th of September of any year, or at 1 minute to the hour at any day in the year 2001, displays a large animated spiral in the middle of the screen which is difficult to close. Because most of the plug-ins are non-destructive, anti-virus companies see Hybris as a low to medium risk virus.

“Given its ability to become malicious, it’s up there but there are more malicious viruses out there,” said Jeremy Pacquette, vulnerability analyst for securityfocus.com. However, writing code like this is probably more challenging than writing code to stop it.

“As medium risks go this is on the higher end of the spectrum,” said Patrick Nolan, virus researcher for McAfee.

It illustrates that virus writers are not lazy, that a few of them have taken it upon themselves certain skills in order to enhance the cat and mouse games they’re playing with virus software.

Apart from the standard practice of updating your virus file on a daily or weekly basis, Pacquette also recommends that IT managers educate their users about safe hex, the practice of being careful about who you communicate with and not opening plug-ins coming from unfamiliar sources. Kinj added that system administrators should consider installing a centralized email filtering system to protect their users. Nolan adds that people who share their hard drive either through a cable modem, a DSL line or a direct connection to the Internet should password protect that share to ensure that it doesn’t get accessed by the virus writers.

Kaspersky warns that the replacement of certain components could turn it from harmless to hazardous. “What we have here is perhaps the most complex and refined malicious code in the history of virus writing,” said Eugene Kaspersky, Head of Kaspersky Labs’ Anti-Virus Research Center, in a statement on the company’s site. It is defined by an extremely complex style of programming and all the plugins are encrypted with very strong RSA 128-bit crypto-algorithm key. The components themselves give the virus writer the possibility to modify his creation “in real time,” and in fact allow him to control infected computers worldwide.

“Those plugins are possibly encrypted with a PGP key or similar scheme used by virus writers,” adds Nolan.

“The architecture of the plug-in approach is interesting and it makes it achievable for a programmer to turn it into a dangerous virus,” said Pacquette. New threats like this are going to promote changes in the work to fight viruses. These kinds of threats are an evolutionary pressure on AV technology.

However, Kinj said that once a virus has been discovered and analyzed, those sources are disabled and that limits the impact of the virus. Nolan adds that the plug-ins can’t work without the base executable and we now know how to stop the base executable file.

On the other hand, the morphing nature of the virus could spawn several new versions. Already, older anti-virus software can’t recognize Hybris because it evades CRC checks. “When you’re dealing with something that changes, you can’t use CRC checks but our algorithms go beyond that and can identify threats like Hybris based on other factors,” said Nolan.

According to warnings on the web sites of several anti-virus developers, the infected message reads:

Today, Snowhite was turning 18.

The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise.

Snowhite was anxious.

Suddlently, the door open, and the Seven Dwarfs enter…

and has been spotted as coming from the address [email protected]. New variants are also sending emails with no subject and no user name but including attachments carrying Hybris.

The virus only attacks Windows-based systems and most anti-virus packages have released a patch to their software to deal with it. Pami Katcho, spokesperson for Microsoft, said that Microsoft is not currently planning to release a fix, but that users should download the latest virus definitions from their AV vendor.

Sources in both the virus and anti-virus community have confirmed that the virus has emerged from Brazil. “It’s a cousin of Babylonia, which was touted as the first of its kind in 1999, and it looks like it was written by the same author,” said Nolan.

As to whether Hybris is the beginning of a new trend, there is some disagreement. “It’s more a proof of concept than anything,” says Nolan. “It’s phase 2 of the existing technology and has the potential to really be something else. System administrators should not be overly concerned about it right now. I doubt there will be a phase 3 because the writer has proven his point.” But in virus writing circles, Hybris is providing a roadmap. “This is a great tool to learn new ways to propagate a payload,” said a virus writer who prefers to be unidentified. “New variants of this will come out and I think that within 6 months, Hybris and its kids could be the most widespread trojans making the rounds.”